data/reports: add 5 unreviewed reports

- data/reports/GO-2024-2612.yaml - data/reports/GO-2024-2684.yaml - data/reports/GO-2024-2699.yaml - data/reports/GO-2024-2776.yaml - data/reports/GO-2024-2769.yaml Fixes #2612 Fixes #2684 Fixes #2699 Fixes #2776 Fixes #2769 Change-Id: I233aeca23f767773c1238eeec2450617801ae69b Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/591199 LUCI-TryBot-Result: Go LUCI <[email protected]> Reviewed-by: Damien Neil <[email protected]> Commit-Queue: Tatiana Bradley <[email protected]>
golang · Jun 10, 2024 · f74ecab · f74ecab
1 parent afddd60
commit f74ecab
Show file tree

Hide file tree

Showing 10 changed files with 410 additions and 0 deletions.
diff --git a/data/osv/GO-2024-2612.json b/data/osv/GO-2024-2612.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2612",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-2056"
+  ],
+  "summary": "Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon",
+  "details": "Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/gvalkov/tailon",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2056"
+    },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2024/Mar/14"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gvalkov/tailon#security"
+    },
+    {
+      "type": "WEB",
+      "url": "https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Jim Becher of KoreLogic, Inc."
+    },
+    {
+      "name": "Jaggar Henry of KoreLogic, Inc."
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2612",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2684.json b/data/osv/GO-2024-2684.json
@@ -0,0 +1,53 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2684",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-22780",
+    "GHSA-hwvw-gh23-qpvq"
+  ],
+  "summary": "CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs",
+  "details": "CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/ca17/teamsacs",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-hwvw-gh23-qpvq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22780"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fuo.fi/CVE-2024-22780"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/CA17/TeamsACS/issues/26"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2684",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2699.json b/data/osv/GO-2024-2699.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2699",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2024-28224",
+    "GHSA-5jx5-hqx5-2vrj"
+  ],
+  "summary": "Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama",
+  "details": "Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/jmorganca/ollama",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.29"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-5jx5-hqx5-2vrj"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28224"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ollama/ollama/releases"
+    },
+    {
+      "type": "WEB",
+      "url": "https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2699",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2769.json b/data/osv/GO-2024-2769.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2769",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2022-38183",
+    "GHSA-fhv8-m4j4-cww2"
+  ],
+  "summary": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
+  "details": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
+  "affected": [
+    {
+      "package": {
+        "name": "code.gitea.io/gitea",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.16.9"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-fhv8-m4j4-cww2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38183"
+    },
+    {
+      "type": "WEB",
+      "url": "https://blog.gitea.io/2022/07/gitea-1.16.9-is-released"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/20133"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/go-gitea/gitea/pull/20196"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2769",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/osv/GO-2024-2776.json b/data/osv/GO-2024-2776.json
@@ -0,0 +1,70 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2024-2776",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2021-43350",
+    "GHSA-mg2c-rc36-p594"
+  ],
+  "summary": "Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol",
+  "details": "Apache Traffic Control Traffic Ops Vulnerable to LDAP Injection in github.com/apache/trafficcontrol",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/apache/trafficcontrol",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "5.1.0+incompatible"
+            },
+            {
+              "fixed": "5.1.4+incompatible"
+            },
+            {
+              "introduced": "6.0.0+incompatible"
+            },
+            {
+              "fixed": "6.0.1+incompatible"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {}
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-mg2c-rc36-p594"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43350"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2021/11/11/3"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2021/11/11/4"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2021/11/17/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://trafficcontrol.apache.org/security"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2024-2776",
+    "review_status": "UNREVIEWED"
+  }
+}
diff --git a/data/reports/GO-2024-2612.yaml b/data/reports/GO-2024-2612.yaml
@@ -0,0 +1,22 @@
+id: GO-2024-2612
+modules:
+    - module: github.com/gvalkov/tailon
+      unsupported_versions:
+        - version: 'affected at 4.50 (default: unaffected)'
+          type: cve_version_range
+      vulnerable_at: 1.1.0
+summary: Artica Proxy Loopback Services Remotely Accessible Unauthenticated in github.com/gvalkov/tailon
+cves:
+    - CVE-2024-2056
+credits:
+    - Jim Becher of KoreLogic, Inc.
+    - Jaggar Henry of KoreLogic, Inc.
+references:
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-2056
+    - web: http://seclists.org/fulldisclosure/2024/Mar/14
+    - web: https://github.com/gvalkov/tailon#security
+    - web: https://korelogic.com/Resources/Advisories/KL-001-2024-004.txt
+source:
+    id: CVE-2024-2056
+    created: 2024-06-06T16:15:26.949858-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2684.yaml b/data/reports/GO-2024-2684.yaml
@@ -0,0 +1,21 @@
+id: GO-2024-2684
+modules:
+    - module: github.com/ca17/teamsacs
+      unsupported_versions:
+        - version: 1.0.2
+          type: last_affected
+      vulnerable_at: 1.0.3
+summary: CA17 TeamsACS Cross Site Scripting vulnerability in github.com/ca17/teamsacs
+cves:
+    - CVE-2024-22780
+ghsas:
+    - GHSA-hwvw-gh23-qpvq
+references:
+    - advisory: https://github.com/advisories/GHSA-hwvw-gh23-qpvq
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-22780
+    - web: https://fuo.fi/CVE-2024-22780
+    - web: https://github.com/CA17/TeamsACS/issues/26
+source:
+    id: GHSA-hwvw-gh23-qpvq
+    created: 2024-06-06T16:16:42.764735-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2699.yaml b/data/reports/GO-2024-2699.yaml
@@ -0,0 +1,20 @@
+id: GO-2024-2699
+modules:
+    - module: github.com/jmorganca/ollama
+      versions:
+        - fixed: 0.1.29
+      vulnerable_at: 0.1.28
+summary: Ollama DNS rebinding vulnerability in github.com/jmorganca/ollama
+cves:
+    - CVE-2024-28224
+ghsas:
+    - GHSA-5jx5-hqx5-2vrj
+references:
+    - advisory: https://github.com/advisories/GHSA-5jx5-hqx5-2vrj
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-28224
+    - web: https://github.com/ollama/ollama/releases
+    - web: https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224
+source:
+    id: GHSA-5jx5-hqx5-2vrj
+    created: 2024-06-06T16:17:36.326182-04:00
+review_status: UNREVIEWED
diff --git a/data/reports/GO-2024-2769.yaml b/data/reports/GO-2024-2769.yaml
@@ -0,0 +1,23 @@
+id: GO-2024-2769
+modules:
+    - module: code.gitea.io/gitea
+      versions:
+        - fixed: 1.16.9
+      vulnerable_at: 1.16.8
+summary: Gitea allowed assignment of private issues in code.gitea.io/gitea
+cves:
+    - CVE-2022-38183
+ghsas:
+    - GHSA-fhv8-m4j4-cww2
+unknown_aliases:
+    - BIT-gitea-2022-38183
+references:
+    - advisory: https://github.com/advisories/GHSA-fhv8-m4j4-cww2
+    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-38183
+    - web: https://blog.gitea.io/2022/07/gitea-1.16.9-is-released
+    - web: https://github.com/go-gitea/gitea/pull/20133
+    - web: https://github.com/go-gitea/gitea/pull/20196
+source:
+    id: GHSA-fhv8-m4j4-cww2
+    created: 2024-06-06T16:18:38.02836-04:00
+review_status: UNREVIEWED